About this Guide This guide provides procedures to help you maintain Fabric OS 5.2.x running in your Storage Area Network (SAN). NOTE: At the time of printing, IBM Fibre Connections (FICON®) is not supported on HP B-Series Fibre Channel switches.

Intended audience This guide is intended for: • System administrators responsible for setting up HP StorageWorks Fibre Channel SAN switches • Technicians responsible for maintaining the Fabric Operating System (OS) Related documentation Documentation, including white papers and best practices documents, is available on the HP web site: http://www.hp.com/support/manuals Scroll to the storage section of the web page.

CAUTION: Indicates that failure to follow directions could result in damage to equipment or data. IMPORTANT: Provides clarifying information or specific instructions. NOTE: Provides additional information. TIP: Provides helpful hints and shortcuts. HP technical support Telephone numbers for worldwide technical support are listed on the HP support web site: http://www.hp.com/support/.

Introducing Fabric OS CLI procedures This chapter summarizes procedures for configuring and managing an HP StorageWorks SAN using the Fabric OS Command Line Interface (CLI). The guide applies to the following product models: • HP StorageWorks switches: 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, and 400 MP Router These models contain a fixed number of ports (they are fixed-port switches).

There are several methods that you can use to configure a switch. These are listed with their respective documents: • Command Line Interface (CLI) • A telnet session into logical switches • A telnet session into active and standby CPs for Director class switches •...

Help information Each Fabric OS command provides Help information that explains the command function, its possible operands, its level in the command hierarchy, and additional pertinent information. Displaying command Help Connect to the switch and log in as admin. To display a list of all command help topics for a given login level, enter the help command with no user arguments.

Performing basic configuration tasks This chapter contains procedures for performing basic switch configuration tasks using the Fabric OS Command Line Interface (CLI). Ideally, you should perform the initial configuration of a switch prior to introducing the switch into the fabric, or during a scheduled maintenance window to minimize fabric disruption. Connecting to the CLI Connect to the CLI either through a telnet or SSH connection or through a console session on the serial port.

Enter the account ID at the login prompt. See ”Setting the default account passwords” on page 24 for instructions on how to log in for the first time. Enter the password. The default password is: password If you have not changed the system passwords from the default, you are prompted to change them. Enter the new system passwords, or press Ctrl-c to skip the password prompts.

The default accounts on the switch are admin, user, root, and factory. Use the default administrative account as shown in Table 4, to log in to the switch for the first time and to perform the basic configuration tasks described in this chapter. Every logical switch (domain) has a set of default accounts.

How to change default passwords at login Connect to the switch and log in as admin. The default password for all default accounts is: password At each of the “Enter new password” prompts, either enter a new password or skip the prompt. Press Enter to skip a prompt.

How to display network interface settings If an IP address has not been assigned to the network interface (Ethernet), you must connect to the Fabric OS CLI using a console session on the serial port, see ”How to connect via the serial port”...

Enter the network information in dotted quad format for Ethernet IP address, Ethernet Subnetmask, and Gateway Address at the prompts. If a static Ethernet address is not available when you disable DHCP, enter 0.0.0.0 at the Ethernet IP address prompt. Skip Fibre Channel prompts by pressing enter. Disable DHCP by entering Off.

You can set the time zone for a switch using the tsTimeZone command. The tsTimeZone command allows you to: • Display all of the time zones supported in the firmware • Set the time zone based on a Country and City combination or based on a time zone ID such as PST See the tsTimeZone command in the Fabric OS Command Reference Manual for more detailed information about the command parameters.

How to set the time zone interactively Type the tsTimeZone command as follows: switch:admin> tstimezone --interactive Select a general location: Please identify a location so that time zone rules can be set correctly. Please select a continent or ocean. Africa Americas Antarctica Arctic Ocean...

Maintaining licensed software features If you purchased an HP StorageWorks Power Pack switch model, optional software licenses are included with the licensed Power Pack supplied with switch software. If you did not purchase an HP StorageWorks Power Pack switch model, you can purchase licenses separately from HP.

How to generate or activate a license key If you already have a license key, go to step 6 to activate. If you do not have a license key, launch an Internet browser and go to: http://webkey.external.hp.com/welcome.asp. The HP StorageWorks Software License Key instruction page opens: Figure 1 HP StorageWorks license key screen Enter the requested information in the required fields.

The licensed features currently installed on the switch are listed. If the feature is not listed, reissue the licenseAdd command. d. Some features may require additional configuration, or you might need to disable and re-enable the switch to make them operational; refer to the feature documentation for details. switch:admin>...

Customizing a switch name Switches can be identified by IP address, Domain ID, World Wide Name (WWN), or by customized switch names that are unique and meaningful. For Fabric OS 4.x (and later) switch names can be from 1 to 15 characters long, must begin with a letter, and can contain letters, numbers, or the underscore character.

Customizing the chassis name Beginning with Fabric OS 4.4.x, it is recommended that you customize the chassis name for each switch. Some system logs identify switches by chassis names, so if you assign meaningful chassis names in addition to meaningful switch names, logs will be more useful. How to change the chassis name Connect to the switch and log in as admin.

For instructions, see ”Maintaining licensed software features” on page 33. Use the portenable command to enable the ports. Optionally, use the portShow command to verify the newly activated ports. If you remove a Ports on Demand license, the licensed ports will become disabled after the next platform reboot or the next port deactivation.

The example above shows output from a switch that has manually assigned POD licenses. Activating Dynamic Ports on Demand If the switch is in the Static POD mode, then activating the Dynamic POD will erase any prior port license assignments the next time the switch is rebooted. The static POD assignments become the initial Dynamic POD assignments.

switch:admin> licenseport --method static The POD method has been changed to static. Please reboot the switch now for this change to take effect. Enter the reboot command to restart the switch. switch:admin> reboot Enter the licensePort --show command to verify that switch started the Static POD feature. switch:admin>...

If port reservations are available, then enter the licensePort --reserve command to reserve a license for the port. switch:admin> licenseport --reserve 0 If all port reservations are assigned, then select a port to release its POD license. You must disable the port first by entering portdisable <port num>.

Enter the licensePort --show command to verify that the port is no longer assigned to a POD set. switch:admin> licenseport --show 24 ports are available in this switch Full POD license is installed Dynamic POD method is in use 24 port assignments are provisioned for use in this switch: 12 port assignments are provisioned by the base switch license 12 port assignments are provisioned by a full POD license 10 ports are assigned to installed licenses:...

HP StorageWorks SAN Director 2/128 and 4/256 SAN Director: Enter the following command: switch:admin> portdisable slotnumber/portnumber where slotnumber and portnumber are the slot and port numbers of the port you want to disable. How to enable a port Connect to the switch and log in as admin. HP StorageWorks 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, SAN Switch 4/32, 4/64 SAN Switch, and 400 MP Router: Enter the following command:...

ISL mode L0 is available on all Fabric OS releases. When you upgrade from Fabric OS 4.0.0 to Fabric OS 4.1.0 or later, all extended ISL ports are set automatically to L0 mode. For information on extended ISL modes, which enable longer distance interswitch links, refer to ”Administering Extended Fabrics”...

Refer to the Fabric OS Command Reference Manual for more information about the portCfgIslMode command. Checking status You can check the status of switch operation, high availability features, and fabric connectivity. How to verify switch operation Connect to the switch and log in as admin. Enter the switchShow command at the command line.

How to display the status of the track changes feature Connect to the switch and log in as admin. Enter the trackChangesShow command. The status of the track changes feature is displayed as either on or off. The display includes whether the track changes feature is configured to send SNMP traps: switch:admin>...

parameter is set to 3, the status of the switch will change if 3 ports fail. Only one policy parameter needs to pass the MARGINAL or DOWN threshold to change the overall status of the switch. For more information about setting policy parameters, refer to the Fabric Watch Administrator’s Guide. How to set the switch status policy threshold values Connect to the switch and log in as admin.

Configuring the audit log When managing SANs, you may wish to filter, or audit, certain classes of events to ensure that you can view and generate a paper trail, or “audit log,” for what is happening on a switch, particularly for security-related event changes.

How to configure an audit log for specific event classes Connect to the switch from which you wish to generate an audit log and log in as admin. Enter the auditCfg --class command, which defines the specific event classes to be filtered. switch:admin>...

To power off a switch gracefully (5.1.0 and later) Connect to the switch and log in as admin. Enter the sysShutdown command. At the prompt, type y. switch:admin> sysshutdown This command will shutdown the operating systems on your switch. You are required to power-cycle the switch in order to restore operation. Are you sure you want to shutdown the switch [y/n]?y Wait until the following message displays: Broadcast message from root (ttyS0) Wed Jan 25 16:12:09 2006...

Role Permissions Table 10 describes the types of permissions that are assigned to roles. Table 10 Permission types Abbreviation Definition Description Observe The user can run commands using options that display information only, such as running userConfig --show -a to show all users on a switch. Modify The user can run commands using options that create, change, and delete objects on the system, such as running userconfig --change...

Configuring the authentication model This section explains how to configure authentication of the switch management channel connections. Fabric OS 5.2.x and higher supports use of both the local user database and RADIUS service at the same time. Use the aaaConfig command to set the authentication model for Fabric OS switch management channel connections, as shown in Table NOTE:...

About the default accounts Fabric OS provides the following predefined accounts in the switch-local user database. Change the password for all defaults during the initial installation and configuration, see Table Table 13 Default Local User Accounts Account Name Role Admin Description domain user...

How to change account parameters When changing account parameters, if you change the ADlist for the user account, all of the currently active sessions for that account will be logged out. Connect to the switch and log in. Enter the following command: userconfig --change username [-r rolename] [-h admindomain_ID]...

removed from the existing list. If the –h argument is not specified, the home Admin Domain will either remain as it was or will be the lowest Admin Domain ID in the remaining list. Recovering accounts The following conditions apply to recovering user accounts: •...

How to change the password for a different account Connect to the switch and log in. Enter the following command: passwd name where name is the name of the account. Enter the requested information at the prompts. Configuring the local user database This section covers the following topics: •...

How to accept the user database Connect to the switch. Enter the following command: fddCfg --localaccept PWD where PWD is one of the three supported database policies. Supported policy databases are SCC, DCC, PWD. How to reject distributed user databases Connect to the switch.

not allowed because it is incompatible with Web Tools. The default value is zero. The maximum value must be less than or equal to the MinLength value. • MinLength Specifies the minimum length of the password. The minimum can be from 8 to 40 characters. New passwords must be between the minimum length specified and 40 characters.

Upgrade and downgrade considerations If you are upgrading from a 5.0.x environment to 5.2.x, the existing password databases do not contain the state information that implements password expiration. So, when the password expiration policy is first set after an upgrade to 5.2.x, any user who has not changed their password will have their password expiration period set to the maximum password expiration period.

Creating Fabric OS user accounts With RADIUS servers, set up user accounts by their true network wide identity rather than by the account names created on a Fabric OS switch. Along with each account name, assign appropriate switch access roles. RADIUS supports all the defined RBAC roles described in Table 9 on page 55.

Windows 2000 IAS For example, to configure a Windows 2000 IAS server to use VSA to pass the “Admin” role to the switch in the dial-in profile, the configuration specifies the Vendor code (1588), Vendor-assigned attribute number (1), and attribute value (admin), as shown in the following: Linux FreeRadius server For the configuration on a Linux FreeRadius server, define the following in a vendor dictionary file called dictionary.brocade.

RADIUS configuration and admin domains When configuring users with Admin Domains, you must also include the Admin Domain member list. This section describes the way that you configure attribute types for this configuration. The values for the new attribute types use the syntax key=val[;key=val], where key is a text description of value...

servers do not respond (because of power failure or network problems), the switch uses local authentication. Consider the following effects of the use of RADIUS service on other Fabric OS features: • When RADIUS service is enabled, all account passwords must be managed on the RADIUS server. The Fabric OS mechanisms for changing switch passwords remain functional;...

Linux The following procedures work for FreeRADIUS on Solaris and Red Hat Linux. FreeRADIUS is a freeware RADIUS server that you can find at: www.freeradius.org Follow the installation instructions at the web site. FreeRADIUS runs on Linux (all versions), FreeBSD, NetBSD, and Solaris.

Clients are the switches that will be using the RADIUS server; each client must be defined. By default, all IP addresses are blocked. On dual-CP switches (SAN Director 2/128 and 4/256 Director), the switch sends its RADIUS request using the IP address of the active CP. When adding clients, add both the active and standby CP IP addresses so that users can still log in in the event of a failover.

How to configure RADIUS users From the Windows Start menu, select Programs > Administrative Tools > Computer Management to open the Computer Management window. In the Computer Management window, expand the Local Users and Groups folder and select the Groups folder. Right-click the Groups folder and select New Group from the pop-up menu.

How to display the current RADIUS configuration Connect to the switch and log in as admin. Enter this command: switch:admin> aaaConfig --show If a configuration exists, its parameters are displayed. If RADIUS service is not configured, only the parameter heading line is displayed. Parameters include: Position (the order in which servers are contacted to provide service), the server names or IP addresses...

How to enable and disable a RADIUS server Connect to the switch and log in as admin. Enter this command to enable RADIUS + local: switch:admin> aaaconfig --radiuslocal Local is used if the user authentication fails on the RADIUS server. Or to enable RADIUS + localbackup: switch:admin>...

Enabling and disabling local authentication as backup It is useful to enable local authentication so that the switch can take over authentication locally if the RADIUS servers fail to respond because of power outage or network problems. To enable or disable local authentication, enter the appropriate command: switch:admin>...

If a password was previously set, the following messages display: Send the following string to Customer Support for password recovery: afHTpyLsDo1Pz0Pk5GzhIw== Enter the supplied recovery password. Recovery Password: Enter the recovery password (string). The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security.

The recovery string must be between 8 and 40 alphanumeric characters. A random string that is 15 characters or longer is recommended for higher security. The firmware only prompts for this password once. It is not necessary to remember the recovery string because it is displayed the next time you enter the command shell.

NOTE: The passwd command only applies to the boot PROM password when it is entered from the boot interface. Enter the boot PROM password at the prompt, then reenter it when prompted. The password must be eight alphanumeric characters (any additional characters are not recorded). Record this password for future use.

Connect to the active CP blade by serial or telnet and enter the haEnable command to restore high availability. Recovering user, admin, and factory passwords If you know the root password, you can use this procedure to recover the user, admin, and factory passwords.

Configuring standard security features This chapter provides information and procedures for configuring standard Fabric OS security features such as account and password management. Additional security features are available by purchasing the optional Secure Fabric OS feature. For information about licensed security features available in Secure Fabric OS, refer to the Secure Fabric OS Administrator’s Guide.

The security protocols are designed with the four main usage cases described in Table Table 18 Main security scenarios Fabric Management Comments interfaces Nonsecure Nonsecure No special setup is needed to use telnet or HTTP. An HP switch certificate must be installed if sectelnet is used.

Fabric OS 4.1.0 and later supports SSH protocol v2.0 (ssh2). For more information on SSH, refer to the SSH IETF web site: http://www.ietf.org/ids.by.wg/secsh.html Refer to SSH, The Secure Shell: The Definitive Guide by Daniel J. Barrett, Richard Silverman. Fabric OS 4.4.0 and later comes with the SSH server preinstalled; however, you must select and install the SSH client.

Blocking listeners HP StorageWorks switches block Linux subsystem listener applications that are not used to implement supported features and capabilities. Table 19 lists the listener applications that switches either block or do not start. Table 19 Blocked Listener Applications Listener SAN Director 2/128 and 4/8 SAN Switch and 4/16 SAN Switch, application...

Port Configuration lists the ports used. This table provides the information to make it clearer when configuring the switch, taking into consideration firewalls and other devices that may sit between switches in the fabric or between the managers and the switch. Table 21 Port information Port...

Browser and Java support Fabric OS supports the following Web browsers for SSL connections: • Internet Explorer (Microsoft Windows) • Mozilla (Solaris and Red Hat Linux) In countries that allow the use of 128-bit encryption, you should use the latest version of your browser. For example, Internet Explorer 6.0 and later supports 128-bit encryption by default.

Each CA (for example, Verisign or GeoTrust) has slightly different requirements; for example, some generate certificates based on IP address, while others require an FQDN, and most require a 1024-bit public/private key while some might accept a 2048-bit key. Consider your fabric configuration, check CA Web sites for requirements, and gather all the information that the CA requires.

If you are set up for secure file copy protocol, you can select it; otherwise, select ftp. Enter the IP address of the switch on which you generated the CSR. Enter the remote Directory name of the FTP server to which the CSR is to be sent.

Activating a switch certificate Enter the configure command and respond to the prompts that apply to SSL certificates: Type yes. SSL attributes Certificate File Enter the name of the switch certificate file: for example, 192.1.2.3.crt. CA Certificate File If you want the CA name to be displayed in the browser window, enter the name of the CA certificate file;...

name Browse to the certificate location and select the certificate. (For example, select Root.crt.) Click Open and follow the instructions to import the certificate. Installing a root certificate to the Java Plug-in For information on Java requirements, refer to ”Browser and Java support”...

Troubleshooting certificates If you receive messages in the browser or in a pop-up window when logging in to the target switch using HTTPS, refer to Table Table 24 SSL Messages and Actions Message Action The page cannot be displayed The SSL certificate is not installed correctly or HTTPS is not enabled correctly.

You can also use these additional MIBs and their associated traps: • FICON-MIB (for FICON environments) • HA-MIB (for SAN Director 2/128 models) • SW-EXTTRAP Includes the swSsn (Software Serial Number) as a part of SW traps. It is also used in conjunction with the legacy 6400 integrated fabrics product to provide detailed group information for a particular trap.

Using legacy commands for SNMPv1 You should use the snmpConfig command to configure the SNMPv1 agent and traps (refer to ”Using the snmpConfig command” on page 94). However, if necessary for backward compatibility, you can choose to use legacy commands. Sample SNMP agent configuration information switch:admin>...

Sample modification of the SNMP configuration values switch:admin> agtcfgset Customizing MIB-II system variables ... At each prompt, do one of the followings: o <Return> to accept current value, o enter the appropriate new value, o <Control-D> to skip the rest of configuration, or o <Control-C>...

Configuring advanced security This chapter provides information and procedures for configuring the advanced Fabric OS 5.2.x security feature, Access Control List (ACL) policies for FC port and switch binding. NOTE: Run all commands in this chapter by logging in to Administrative Domain (AD) 255 or, if Administrative Domains have not been implemented, log in to AD 0.

Configuring ACL policies All policy modifications are saved in volatile memory until those changes are saved or activated. You can create multiple sessions to the switch from one or more hosts. However, Fabric OS allows only one ACL transaction at a time. If a second ACL transaction is started, it fails. The Secure Fabric OS and Fabric OS SCC and DCC policies are not interchangeable.

Displaying ACL policies Use the secPolicyShow command to display the Active and Defined policy sets. The following example shows a switch that has no SCC and DCC policies. secPolicyShow displays the following information: • Active Policy Set—The policies that are being enforced. •...

Table 25 DCC policy states Policy state Characteristics Policy with no entries Any device can connect to any switch port in the fabric. An empty policy is the same as no policy. Policy with entries If a device WWN is specified in a DCC policy, that device is only allowed access to the switch if connected by a switch port listed in the same policy.

The member contains device or switch port information: deviceportWWN;switch(port) where: deviceportWWN is the WWN of the device port. switch is either the switch WWN, domain ID, or switch name. The switch port can be specified by port or area number. Designating ports automatically includes the devices currently attached to those ports.

Fabric OS is disabled; policies created in Fabric OS are deleted when Secure Fabric OS is enabled. Back up SCC policies before enabling or disabling Secure Fabric OS. The SCC policy is used to restrict which switches can join the fabric. Switches are checked against the policy each time an E_Port-to-E_Port connection is made.

To activate changes Connect to the switch and log in. Type the secPolicyActivate command: switch:admin> secpolicyactivate About to overwrite the current Active data. ARE YOU SURE (yes, y, no, n): [no] y Adding a member to an existing policy Add members to the ACL policies by using the secPolicyAdd command. As soon as a policy has been activated, the aspect of the fabric managed by that policy is enforced.

Aborting all uncommitted changes Use the secPolicyAbort command to abort all ACL policy changes that have not yet been saved. To abort all unsaved changes Connect to the switch and log in. Type the secPolicyAbort command: switch:admin> secpolicyabort Unsaved data has been aborted. All changes since the last time the secPolicySave or secPolicyActivate commands were entered are aborted.

Error returned indicating that the distribution setting must be accept before you can set the fabric-wide consistency policy. Configuring the database distribution settings The distribution settings control whether a switch accepts or rejects distributions of databases from other switches and whether or not the switch may initiate a distribution. Configure the distribution setting to reject when maintaining the database on a per-switch basis.

Enter the following command: fddCfg --localaccept <database_ID> where: localaccept is the default setting. Allows local database to be overwritten with databases received from other switches. Allows local database to be manually or automatically distributed to other switches. database_id is a semicolon-separated list of the local databases to be distributed, either SCC and/or DCC.

Enter the following command: distribute -p <database_id> -d <switch_list> where: database_id is a semicolon-separated list of the local databases to be distributed: SCC and/or DCC. switch_list is a semicolon-separated list of switch Domain IDs, switch names, or switch WWN addresses of the target switches that will receive the distribution.

disabled. If the strict SCC and DCC fabric-wide consistency policies match, the corresponding SCC and DCC ACL policies are compared. The enforcement of fabric-wide consistency policy involves comparison of only the Active policy set. If the ACL policies match, the switch joins the fabric successfully. If the ACL policies are absent either on the switch or on the fabric, the switch joins the fabric successfully, and the ACL policies are copied automatically from where they are present to where they are absent.

Non-matching fabric-wide consistency policies You may encounter one of the following two scenarios: • Merging a fabric with a strict policy to a fabric with an absent, tolerant, or non-matching strict policy. The merge fails and the ports are disabled. Table 32 shows merges that are not supported: Table 32...

Maintaining configurations It is important to maintain consistent configuration settings on all switches in the same fabric, because inconsistent parameters (such as inconsistent PID formats) can cause fabric segmentation. As part of standard configuration maintenance procedures, it is recommended that you back up all important configuration data for every switch on a host computer server for emergency reference.

Before beginning, verify that you can reach the FTP server from the switch. Using a telnet connection, save a backup copy of the configuration file from a logical switch to a host computer as follows: To upload a configuration file Verify that the FTP service is running on the host computer.

NOTE: The configuration file is printable, but you might want to see how many pages will be printed before you send it to the printer; you might not want to print a lot of pages if it is too long. Troubleshooting configuration upload If the configuration upload fails, it may be because: •...

Configuration download without disabling a switch Starting in Fabric OS 5.2.x, you can download configuration files to a switch while the switch is enabled, that is, you do not need to disable the switch for changes in SNMP, Fabric Watch, and ACL parameters. When you use the configDownload command, you will be prompted to disable the switch only when necessary...

NOTE: Because some configuration parameters require a reboot to take effect, after you download a configuration file you must reboot to be sure that the parameters are enabled. Before the reboot, this type of parameter is listed in the configuration file, but it is not effective until after the reboot. Security considerations Security parameters and the switch's identity cannot be changed by configDownload.

Restoring configurations in a FICON environment If the switch is operating in a FICON CUP environment, and the ASM (active=saved) bit is set on, then the switch ignores the IPL file downloaded when you restore a configuration. Table 35 describes this behavior in more detail.

Managing administrative domains This chapter describes the concepts and procedures for using the administrative domain feature introduced in Fabric OS 5.2.x and contains the following topics: About administrative domains Administrative Domain (Admin Domain or AD) is a logical grouping of fabric elements that defines what switches, ports, and devices you can view and modify.

Figure 2 Fabric with two admin domains Figure 3 shows how users get a filtered view of this fabric, depending on which Admin Domain they are in. Users can see all switches and E_Ports in the fabric, regardless of their Admin Domain; however, the switch ports and end devices are filtered based on Admin Domain membership.

System-defined administrative domains When you install Fabric OS 5.2.x firmware, the switch enters AD-capable mode with domains AD0 and AD255 automatically created. AD0 and AD255 are special Admin Domains. AD0 and AD255 always exist and cannot be deleted or renamed. They are reserved for use in creation and management of Admin Domains.

AD255 Figure 4 Fabric with AD0 and AD255 Admin domain access levels Admin Domains offer a hierarchy of administrative access. To manage Admin Domains, you must be a physical fabric administrator. A “physical fabric administrator” is a user with the Admin role and access to all Admin Domains (AD0 through AD255). Other administrative access is determined by your defined RBAC role and AD membership.

Admin domains and login
You are always logged in to an Admin Domain, and you can view and modify only the devices in that Admin Domain. If you have access to more than one Admin Domain, one of them will have been specified as your “home Admin Domain,”...

Admin domain compatibility and availability
Admin Domains maintain continuity of service for Fabric OS 5.2.x features and operate in mixed-release fabric environments. High availability is supported along with some backward compatibility. The following sections describe the continuity features of Admin Domain usage.

Admin domains and merging
When an E_Port comes online, the adjacent switches merge their AD databases.

Managing admin domains
This section is for physical fabric administrators who are managing Admin Domains. You must be a physical fabric administrator to perform the tasks in this section.
• “Implementing admin domains” on page 137
• “Creating an admin domain”...

Implementing admin domains
To begin implementing an Admin Domain structure within your SAN, you must first set the default zone mode to No Access. You must be in AD0 to change the default zone mode. You can use the defZone --show command to see the current default zone mode setting.

Optional: To end the transaction now, enter ad --save to save the Admin Domain definition or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric. The following example creates Admin Domain AD1, consisting of two switches, which are designated by domain ID and switch WWN.

To assign Admin Domains to an existing user account
1. Connect to the switch and log in as admin.
2. Enter the userConfig --addad command using the -a option to provide access to Admin Domains and the -h option to specify the home Admin Domain.
username home_AD AD_list...

To deactivate an Admin Domain
1. Connect to the switch and log in as admin.
2. Disable the zone configuration under the Admin Domain you want to deactivate.
3. Switch to the AD255 context, if you are not already in that context.
ad --select 255
4. Enter the ad --deactivate option.

Optional: To end the transaction now, enter ad --save to save the Admin Domain definition or enter ad --apply to save the Admin Domain definition and directly apply the definitions to the fabric.
The following example removes port 5 of domain 100 and port 3 of domain 1 from AD1.
sw5:AD255:admin>...

Deleting all user-defined Admin Domains
When you clear the Admin Domain configuration, all user-defined Admin Domains are deleted, the explicit membership list of AD0 is cleared, and all fabric resources (switches, ports, and devices) are returned to the implicit membership list of AD0. You cannot clear the Admin Domain configuration if zone configurations exist in any of the user-defined Admin Domains.

Using Admin Domains
This section is for users and administrators and describes how you use Admin Domains. If you are a physical fabric administrator and you want to create, modify, or otherwise manage Admin Domains, see “Managing admin domains” on page 136. The Admin Domain looks like a virtual switch or fabric to a user.

Displaying an Admin Domain configuration
The ad --show option displays the membership information and zone database information of the specified Admin Domain. When you perform the show option in:
• AD255, if you do not specify the AD_name or number, all information about all existing Admin Domains is displayed.

The following example switches to the AD12 context. Note that the prompt changes to display the Admin Domain.
sw5:admin> ad --select 12
sw5:AD12:admin>

Performing zone validation
If you are working with zones, you should be aware that there is an Admin Domain impact. Zone objects can be part of an Admin Domain.

Table 41 Admin Domain interaction with Fabric OS features (continued)
Fabric OS feature | Admin Domain interaction
You can create LSAN zones as a physical fabric administrator or as an individual AD administrator. The LSAN zone can be part of the root zone database or the AD zone database.

Zoning operations ignore any resources not in the Admin Domain, even if they are specified in the zone. The behavior functions similarly to specifying offline devices in a zone. All zones from each Admin Domain zoneset are enforced. The enforcement policy encompasses zones in the effective zoneset of the root zone database and the effective zonesets of each AD.

Configuration upload and download in an AD context
The behavior of configUpload and configDownload varies depending on the AD context and whether the switch is a member of the current Admin Domain. In the AD context, these commands include only the zone configuration of the current Admin Domain. If the switch is a member of the Admin Domain, all switch configuration parameters are saved and the zone database for that Admin Domain is also saved.

Effects of firmware changes on accounts and passwords
The following table describes what happens to accounts and passwords when you replace the switch firmware with a different version.
Table 43 Effects of firmware changes on accounts and passwords
Change | First time | Subsequent times (after upgrade, then downgrade, then upgrade)

(or in some cases 4.4.x or lower) and the check finds that one of these exception cases is true, firmware download will fail and an error message will be displayed. It is recommended that you perform a configUpload to back up the current configuration before you download firmware to a switch.

Verify that the compact flash usage is not above 90%. If the compact flash usage is above 90%, contact HP.
NOTE: If running Fabric OS 4.2.x or earlier, enter the supportShow command and verify the above compact flash information by searching the output of the supportShow command.
(Optional) Enter the errClear command to erase all existing messages in addition to internal messages.

firmware. The firmwareDownload command defaults to an autocommit option that automatically copies the firmware from one partition to the other. You should not override autocommit under normal circumstances; use the default. Refer to Testing and restoring firmware on Directors, page 161 for details about overriding the autocommit option.

Summary of the firmware download process
The following summary describes the default behavior after you enter the firmwareDownload command (without options) on 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN...

Respond to the prompts as follows:
Server Name or IP Address: Enter the name or IP address of the FTP server where the firmware file is stored; for example, 192.1.2.3. You can enter a server name if DNS is enabled.
User name: Enter the user name of your account on the server;...

Summary of firmware downloads on Director models
You can download firmware to SAN Director 2/128 and 4/256 SAN Director without disrupting the overall fabric if the two CP blades are installed and fully synchronized. Use the haShow command to confirm synchronization. If only one CP blade is powered on, the switch must reboot to activate firmware, which is disruptive to the overall fabric.

SAN Director 2/128 and 4/256 SAN Director firmware download procedure
There is one logical switch address for a 4/256 SAN Director, and up to two logical switch addresses for the SAN Director 2/128, but either can be used on the SAN Director 2/128 to effect a firmwaredownload (either logical switch).

Respond to the prompts as follows:
Server Name or IP Address: Enter the name or IP address of the server where the firmware file is stored: for example, 192.1.2.3. You can enter a server name if DNS is enabled.
User name: Enter the user name of your account on the server: for example, JohnDoe.

Optionally, after the failover, connect to the switch and log in again as admin. Using a separate telnet session, enter the firmwareDownloadStatus command to monitor the firmware download status.
switch:admin> firmwaredownloadstatus
[1]: Fri Sep 22 09:45:15 2006
Slot 5 (CP0, active): Firmware is being downloaded to standby CP. This step may take up to 30 minutes.

3. Commit the firmware
a. Enter the firmwareCommit command to update the secondary partition with new firmware. Note that it takes several minutes to complete the commit operation.
b. Enter the firmwareShow command to confirm both partitions on the switch contain the new firmware.

10. Restore firmware on the “new” standby CP
a. Wait one minute and start a telnet session on the new standby CP, which is the old active CP.
b. Enter the firmwareRestore command. The standby CP will reboot and the telnet session will end.

NOTE: You cannot perform a firmware downgrade from Fabric OS 5.2.x or higher if administrative domains are configured in the fabric. See “Managing administrative domains” on page 157 for details.
When the primary and secondary CPs in a 4/256 SAN Director are running pre-Fabric OS 5.2.x and are in HA-Sync, if firmware is downloaded to upgrade only one CP (using the firmwareDownload -s option), that CP will run in an AD-unaware mode (AD creation operations will fail and the local switch will appear as an AD-unaware switch in the fabric).

For more information on any of the commands in the Recommended Action section, see the Fabric OS Command Reference. NOTE: Some of the messages include error codes (as shown in the example below). These error codes are for internal use only and you can disregard them. Example: Port configuration with EX ports enabled along with trunking for port(s) 63, use the portcfgexport, portcfgvexport, and/or portcfgtrunkport commands to remedy this.

Message
Only platform options 1, 2, 5 are supported by version 5.1. Use chassisconfig to reset the option before downloading the firmware.
Probable Cause and Recommended Action
The firmware download operation was attempting to upgrade a system to Fabric OS v5.1.0. The chassisConfig option was set to 3 or 4, which is not supported in v5.1.0, so the firmware download operation was aborted.

Message
Cannot download to 5.1 because Device Based routing policy is not supported by 5.1. Use aptPolicy change the routing policy before proceeding.
Probable Cause and Recommended Action
The firmware download operation was attempting to upgrade a system to Fabric OS v5.1.0 with device-based routing policy selected.

Message
The command failed due to presence of long-distance ports in LS mode. Please remove these settings before proceeding.
Probable Cause and Recommended Action
The firmware download operation was attempting to downgrade a system to Fabric OS v5.0.0 or lower with long-distance ports in LS mode.

Message
The command failed due to one or more ports having both long-distance and ISL R_RDY Modes enabled. Use portcfglongdistance and portcfgislmode to disable it before proceeding.
Probable Cause and Recommended Action
The firmwareDownload operation was attempting to downgrade a system to Fabric OS v.0.0 or lower with both long-distance and ISL R_RDY modes enabled.

Message
Cannot downgrade due to presence of port mirror connections. Use portmirror --delete to remove these mirror connections before proceeding.
Probable Cause and Recommended Action
The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower with Port Mirroring enabled.

Message
The command failed due to the presence of an Admin Domain. Use the command to remedy this before proceeding.
Probable Cause and Recommended Action
The firmware download operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower with Admin Domain (AD) enabled on the system.

Message
The command failed because IPSec is enabled. Please use the portcfg fciptunnel command to disable it before proceeding.
Probable Cause and Recommended Action
The firmwareDownload operation was attempting to downgrade a system to Fabric OS v5.1.0 or lower and the IPsec feature is enabled. The IPsec feature is not supported on firmware v5.1.0 or lower, so the firmwareDownload operation failed.

Disable the strict fabric-wide policy using the fddCfg --fabWideSet "" command. The “absent” setting disables the fabric-wide consistency policy.
Retry the firmware download operation.

Message
The switch is currently configured with “radiuslocal” mode. Please use the aaaconfig command to remedy it before proceeding.

Remove all DCC policies containing more than 256 ports using the secPolicyDelete and secPolicyActivate commands.
Retry the firmware download operation.

Blade troubleshooting tips
Typically, issues that evolve during firmware downloads to the B-Series MP Router blade do not require explicit actions on your part. However, if any of the following events occur, perform the suggested action to correct the issue:
•...

• Ensure that the decompress process created multiple SWBDxx folders (where xx is a number) in the main folder. If the files are unpacked without folder creation, then the firmwareDownload command will be unable to locate the .plist file.

Configuring Directors
This chapter contains procedures that are specific to the SAN Director 128 and 4/256 SAN Director models. Because Directors contain interchangeable port blades, install procedures differ from the SAN Switches, which operate as fixed-port switches. For example, fixed-port models identify ports by domain, port number; Directors identify ports by slot/port number.

The following sections tell how to identify ports on SAN Director 2/128 and 4/256 SAN Director, and how to identify ports for zoning commands.

By slot and port number
The port number is a number assigned to an external port to give it a unique identifier in a switch. To select a specific port in the SAN Director 2/128, and 4/256 SAN Director models, you must identify slot number port number...

values of the first 128 ports, and using portswap on a pair of ports will exchange those ports’ area_ID and index values. Portswap is not supported for ports above 256. Table 44 and Table 45 show the area ID and index mapping for core and extended-edge PID assignment. Note that up to 255 areas, the area_ID mapping to the index is one-to-one.

400 MP Router exceptions
The first time the 400 MP Router is powered on, ports are persistently disabled. Ports will remain disabled until they are configured otherwise.

B-Series MP Router blade (FR4-18i) exceptions
You may wish to persistently disable B-Series MP Router blade ports that are not configured so they cannot join the fabric when the following scenarios apply:
•...

NOTE: Some FRUs in the chassis may use significant power, yet cannot be powered off through software. For example, a missing blower FRU may change the power computation enough to affect how many slots can be powered up. The powerOffListShow command displays the power off order.

Blade terminology and compatibility
Before configuring a chassis, familiarize yourself with the Director CP blade and port blade nomenclature, as well as the port blade compatibilities.

CP blades
CP blades determine the Director type:
• If CP2 blades are installed, the Director is a SAN Director 2/128.
• If CP4 blades are installed, the Director is a 4/256 SAN Director.
Mixed CP blades are not supported on a single chassis, except during specific upgrade procedures detailed in the SAN Director installation guide.

Obtaining slot information
For a SAN Director 2/128 configured as two logical switches, the chassis-wide commands display or control both logical switches. In the default configuration, SAN Director 2/128 Directors are configured as one logical switch, so the chassis-wide commands display and control the single logical switch.

To display the status of all slots in the chassis
Connect to the switch and log in as user or admin.

Configuring a new SAN Director 2/128 with two domains
By default, the SAN Director 2/128 is configured as one 128-port switch (one domain). The procedure assumes that the new Director:
• Has been installed and connected to power, but is not yet attached to the fabric.
•...

Converting an installed SAN Director 2/128 to support two domains
Fabric OS versions earlier than v4.4.0 supported only one domain for SAN Director 2/128 models (one 128-port logical switch). When you upgrade a SAN Director 2/128 director to Fabric OS v4.4.0 or later, you can use the chassisConfig command to specify two domains for the Director (two 64-port logical switches, sw0 and sw1).

11. Enter the fabricShow command to verify that sw0 and sw1 have been merged with the fabric. Enter the configShow command to verify that zoning parameters were propagated.

Setting the blade beacon mode
When beaconing mode is enabled, the port LEDs will flash amber in a running pattern from port 0 through port 15 and back again.

Routing traffic

About data routing and routing policies
Data moves through a fabric from switch to switch and storage to server along one or more paths that make up a route. Routing policies determine the correct path for each frame of data. Whatever routing policy a switch is using applies to the VE_Ports as well.

In a stable fabric, frames are always delivered in order, even when the traffic between switches is shared among multiple paths. However, when topology changes occur in the fabric (for example, if a link goes down), traffic is rerouted around the failure, and some frames could be delivered out of order. Most destination devices tolerate out-of-order delivery, but some do not.

Viewing routing path information
The topologyShow and uRouteShow commands provide information about the routing path.
1. Connect to the switch and log in as admin.
2. Enter the topologyShow command to display the fabric topology, as it appears to the local switch. The following entries appear:
switch:admin>...

SAN Director 2/128 and 4/256 SAN Director: Use the following syntax:
urouteshow [slot/][portnumber][, domainnumber]
The following entries appear:
• Local Domain—Domain number of the local switch.
• In Ports—Port from which a frame is received.
• Domain—Destination domain of the incoming frame.
•...

Viewing routing information along a path
You can display detailed routing information from a source port (or area) on the local switch to a destination port (or area) on another switch. This routing information describes the full path that a data stream travels between these ports, including all intermediate switches.

The information that pathInfo provides is:
Hops: The number of switch-to-switch links (ISLs) traversed. The local switch is hop 0.
In Port: The port that the frames come in from on this path. For hop 0, the source port.
Domain ID: The domain ID of the switch.

Using the FC-FC routing service
The FC-FC (Fibre Channel) Routing Service provides Fibre Channel routing between two or more fabrics without merging those fabrics. The FC-FC Routing Service can be simultaneously used as a Fibre Channel router and for SAN extension over wide area networks (WANs) using FCIP. The Fibre Channel Routing also supports interoperability with McDATA E/OS v7.x and 8.x.

Special types of ports, called an EX_Port and a VEX_Port, function somewhat like an E_Port, but terminate at the switch and do not propagate fabric services or routing topology information from one edge fabric to another. The link between an E_Port and EX_Port, or VE_Port and VEX_Port, is called an interfabric link (IFL).

fabric to another—over the backbone or edge fabric through this virtual domain—without merging the two fabrics. Translate phantom domains are sometimes referred to as “translate domains,” or “xlate domains.” If a B-Series MP Router blade is attached to an edge fabric using an EX_Port, it will create translate phantom domains in the fabric corresponding to the imported edge fabrics with active LSANs defined.

Figure 10 shows another metaSAN consisting of a host in Edge SAN 1 connecting to storage in Edge SAN 2 through a backbone fabric connecting two 4/256 SAN Directors, each containing B-Series MP Router blades.
Figure 10 Edge SANs connected through a backbone fabric

Upgrade and downgrade considerations
The following considerations apply when upgrading to or downgrading from Fabric OS 5.2.x with front domain consolidation:
• During an upgrade to Fabric OS v5.2 from Fabric OS v5.1:
  • The router switch is changed from one front domain per EX_Port to a shared front domain for the EX_Ports that are connected to the same edge fabric.

For more information about the fabricShow command, see the Fabric OS Command Reference Manual.

Range of output ports
The edge fabric detects only one front domain from an FC router connected through multiple output ports. The output port of the front domain is not fixed to 0; the values can be in a range of 129–255. The range of the output ports connected to the xlate domain is also 129–255.

The target responds by sending frames to the proxy host. Hosts and targets are exported from the edge SAN to which they are attached and, correspondingly, imported into the edge SAN reached through Fibre Channel routing. Figure 11 illustrates this concept.

Fibre Channel NAT and phantom domains
Within an edge fabric or across a backbone fabric, the standard Fibre Channel FSPF protocol determines how frames are routed from the source Fibre Channel (FC) device to the destination FC device. The source or destination device can be a proxy device.

Performing verification checks
Before configuring a fabric to connect to another fabric, you must perform the following verification checks on the switch or director.

To perform verification checks
Log in to the switch or director as admin and enter the version command. Verify that Fabric OS v5.2.x is installed on the 400 MP Router or B-Series MP Router blade, as shown in the following example.

Enter the secModeShow command to verify that security is disabled.
switch:admin_06> secmodeshow
Secure Mode: DISABLED.
Enter the msPlatShow command to verify that Management Server Platform database is disabled in the backbone fabric.
switch:admin_06> msplatshow
*MS Platform Management Service is NOT enabled.
If any of the items listed in the prior steps are enabled, you can see the Fabric OS Command Reference Manual for information on how to disable the option.

it is connected. For example, on the 4/256 SAN Director with a B-Series MP Router blade, specify the WWN of the Secure Fabric OS switch and the secrets. On the Secure Fabric OS switch, specify the WWN of the front domain (EX_Port or VEX_Port) and the secrets. To view the front domain WWN, issue the portCfgEXPort command on the Fibre Channel router side.

To view a DH-CHAP secret word database
Log in as admin to the 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade. At the telnet prompt, enter the secAuthSecret command as shown:
switch:admin_06> secauthsecret --show
Name
------------------------------------------------------------
10:00:00:60:69:80:05:14 switch...

Preferred domain ID (1-239). This command enforces the use of the same preferred domain ID for all the ports connected to the same edge fabric. When this option is specified, the preferred domain ID is compared against the online ports. If the domain IDs are different, an error message is issued and the command fails.

Configuring LSANs and zoning
An LSAN consists of zones in two or more edge or backbone fabrics that contain the same device(s). LSANs essentially provide selective device connectivity between fabrics without forcing you to merge those fabrics. FC routers provide multiple mechanisms to manage interfabric device connectivity through extensions to existing switch management interfaces.

• Switch2 is connected to the 4/256 SAN Director with a B-Series MP Router blade using another EX_Port or VEX_Port
• Host has WWN 10:00:00:00:c9:2b:c9:0c (connected to switch1)
• Target A has WWN 50:05:07:61:00:5b:62:ed (connected to switch2)
• Target B has WWN 50:05:07:61:00:49:20:b4 (connected to switch2)
The following procedure shows how to control device communication with LSAN.

On the 4/256 SAN Director with a B-Series MP Router blade, the host and fabric75 are imported, because both are defined by lsan_zone_fabric2 and lsan_zone_fabric75. However, target B defined by lsan_zone_fabric75 is not imported because lsan_zone_fabric2 does not allow it. When a PLOGI, PDISC, or ADISC arrives at the 4/256 SAN Director with a B-Series MP Router blade, the SID and DID of the frame are checked.
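An added example, not taken from the HP guide, that models the matching rule described above so an LSAN change can be audited before it is activated: a device is imported only when it shares an LSAN zone with a device from the other fabric in both fabrics' zone databases. The zone memberships, the fabric labels and the non-LSAN zone prod_zone_b are assumptions built around the WWNs in the text; the lsan_ name prefix is how Fabric OS recognizes an LSAN zone.

```python
"""Model of LSAN device import between two fabrics joined by an FC router."""
from itertools import combinations

# WWNs from the example in the text.
HOST = "10:00:00:00:c9:2b:c9:0c"
TARGET_A = "50:05:07:61:00:5b:62:ed"
TARGET_B = "50:05:07:61:00:49:20:b4"

# Assumption: each fabric is labelled after the edge switch its devices attach to.
ATTACHED = {
    HOST: "fabric_switch1",
    TARGET_A: "fabric_switch2",
    TARGET_B: "fabric_switch2",
}

# Constructed zone databases; membership is assumed, chosen to match the text.
ZONES = {
    "fabric_switch1": {
        "lsan_zone_fabric2": {HOST, TARGET_A},
        "prod_zone_b": {HOST, TARGET_B},  # ordinary zone, no lsan_ prefix
    },
    "fabric_switch2": {
        "lsan_zone_fabric75": {HOST, TARGET_A, TARGET_B},
    },
}


def is_lsan(zone_name):
    """LSAN zones are recognized by an lsan_ prefix, compared case-insensitively."""
    return zone_name.lower().startswith("lsan_")


def zoned_pairs(zones):
    """Unordered device pairs that share at least one LSAN zone in one fabric."""
    pairs = set()
    for name, members in zones.items():
        if is_lsan(name):
            pairs.update(frozenset(p) for p in combinations(sorted(members), 2))
    return pairs


def shared_pairs(zones_by_fabric, attached, fab_a, fab_b):
    """Cross-fabric pairs that both fabrics' LSAN zones agree on."""
    both = zoned_pairs(zones_by_fabric[fab_a]) & zoned_pairs(zones_by_fabric[fab_b])
    return {p for p in both if {attached.get(d) for d in p} == {fab_a, fab_b}}


def imported_into(zones_by_fabric, attached, fabric, other):
    """Devices attached to `other` that appear as proxy devices in `fabric`."""
    pairs = shared_pairs(zones_by_fabric, attached, fabric, other)
    return {d for p in pairs for d in p if attached.get(d) == other}


def one_sided(zones_by_fabric, attached, fab_a, fab_b):
    """Devices named in some LSAN zone that no matching pair actually shares."""
    named = set()
    for fab in (fab_a, fab_b):
        for name, members in zones_by_fabric[fab].items():
            if is_lsan(name):
                named |= members
    shared = set().union(*shared_pairs(zones_by_fabric, attached, fab_a, fab_b))
    return named - shared


def unapproved(zones_by_fabric, attached, fab_a, fab_b, approved):
    """Shared pairs that are missing from an approved-connectivity list."""
    return shared_pairs(zones_by_fabric, attached, fab_a, fab_b) - approved


if __name__ == "__main__":
    a, b = "fabric_switch1", "fabric_switch2"
    print("imported into", a, ":", imported_into(ZONES, ATTACHED, a, b))
    print("imported into", b, ":", imported_into(ZONES, ATTACHED, b, a))
    print("defined on one side only:", one_sided(ZONES, ATTACHED, a, b))
```

Target B shows up in the one-sided report: it is named in an LSAN zone but is not shared, which is the state to review after any zone change on either fabric.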

To set and display the router port cost
1. Disable any port on which you want to set the router port cost.
2. Enable admin for the EX_Port/VEX_Port with portCfgExport or portCfgVexport.
3. Enter the fcrRouterPortCost command to display the router port cost per EX_Port.
switch:admin_06>...

router cost IFLs to another port group (for example ports 8–15). For VEX_Ports, you would use ports in the range of 16-23 or 24-31. You can connect multiple EX_Ports or VEX_Ports to the same edge fabric. The EX_Ports can all be on the same 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade, or they can be on multiple routers.

The default values for R_A_TOV and E_D_TOV are the recommended values for all but very large fabrics (ones requiring four or more hops) or high-latency fabrics (such as ones using long-distance FCIP links).

EX_Port frame trunking (optional)
In Fabric OS v5.2.x, you can configure EX_Ports to use frame-based trunking just as you do regular E_Ports.

To display EX_Port trunking information
1. Log in as an admin and connect to the switch.
2. Enter the switchShow command to display trunking information for the EX_Ports.
fcr_switch:admin_06> switchshow
The following is an example of a master EX_Port and a slave EX_Port displayed in switchShow.
Index Slot Port Address Media Speed State
==============================================
ee1000...

• Phantom Node WWN—The display shows the maximum versus the currently allocated phantom switch node WWNs. The phantom switch requires node WWNs for FSPF and manageability purposes. Phantom node names are allocated from the pool sequentially and are not reused until the pool is exhausted and rolls over.

Routing ECHO
The FC-FC Routing Service enables you to route the ECHO generated when an fcPing command is issued on a switch, providing fcPing capability between two devices in different fabrics across the 400 MP Router or 4/256 SAN Director with a B-Series MP Router blade.

To check for Fibre Channel connectivity problems
On the edge Fabric OS switch, make sure that the source and destination devices are properly...

Interoperability with legacy FCR switches
The following interoperability considerations apply when administering legacy FCR switches in the same backbone (BB) fabric as switches supporting Fabric OS v5.2.x:
• When a legacy switch is connected to the fabric, a RAS log message is issued indicating that the capability of the backbone (BB) fabric is lower as legacy FCR switches (those with XPath OS and Fabric OS v5.1) support lower capability limits.

Connecting to HP M-Series or McDATA SANs
Fabric OS 5.2.x lets you connect an HP StorageWorks B-Series fabric to an HP M-Series or McDATA fabric. Because of the high degree of connectivity, the devices across the remote fabrics can be shared. Fabric OS 5.2.x furnishes the FC router with the ability to connect to HP M-Series fabrics in Open mode and McDATA Fabric mode.

NOTE: Trunking is not supported on EX_Ports connected to the McDATA fabric.

Connectivity modes
You can connect to M-Series fabrics in either McDATA Open mode or McDATA Fabric mode. If the mode is not configured correctly, the port is disabled for incompatibility.
NOTE: HP M-Series and McDATA fabrics are supported in Open mode.

The following example sets port 10/12 to admin-enabled, assigns a Fabric ID of 41 and sets the port to Core PID and to Brocade mode. For complete information about any Fabric OS command, see “Configuring interoperability mode” on page 399.
switch:admin_06>...

For information about edge fabric setup on E_ports and interswitch linking, see “Administering ISL Trunking” on page 333. For information on EX_Port Frame trunking setup on the FCR switch, see “Using EX_Port Frame trunking” on page 223.
11. Capture a SAN profile of the McDATA and HP SANs, identifying the number of devices in each SAN. By projecting the total number of devices and switches expected in each fabric when the LSANs are active, you can quickly determine the status of the SAN by issuing the commands nsAllShow and fabricShow on the HP fabric.

To prepare the McDATA fabric
Log in to SAN Pilot or basic EFC Manager, depending upon the firmware release.
From the SAN Pilot left navigation menu, select Configure.
Select the Zoning tab, then select the Zones tab (select Configure > Zoning on EFCM).
Figure 13 SAN Pilot and EFCM zone screens
NOTE:...

In SAN Pilot, click the Add button to add the specified Zone. As shown in the following illustration, when you add the new zone name, the name is displayed in the Pending Zone Set list.
Figure 14 Pending Zone Set list in SAN Pilot and EFCM zone screens
To add devices that are connected to the HP fabric, select the Edit button in the Pending Zone set.

In EFCM, return to the main window and select Configure, then select Activate Zone Set to launch the zone set activation window. Highlight the zone set to be activated and click Next. Click Next again, then Start to activate the zone set.
Figure 15 Adding a zone set name in SAN Pilot
Regardless of the method used, you should now verify that the new zone set containing your LSAN has...

Move back to the 400 MP Router and B-Series MP Router (FR4-18i) blade and issue the fcrProxyDevShow command to verify that the devices are configured and exported.
switch:admin_06> fcrproxydevshow
Proxy Proxy Device Physical State Created Exists in Fabric in Fabric
----------------------------------------------------------------------------
20:00:00:01:73:00:59:dd...

authenticated using digital certificates and unique private keys provided to the Switch Link Authentication Protocol (SLAP). • Switch binding is a security method for restricting devices that connect to a particular switch. If the device is another switch, this is handled by the SCC policy. If the device is a host or storage device, the Device Connection Control (DCC) policy binds those devices to a particular switch.

Types of FICON configurations
There are two types of FICON configurations:
• A single-switch configuration (called switched point-to-point) requires that the channel be configured to use single-byte addressing. If the channel is set up for two-byte addressing, then the cascaded configuration setup applies.

NOTE: The Fabric OS CLI supports only a subset of the management features for FICON fabrics. The full set of FICON CUP administrative procedures is available using the Fabric Manager and Web Tools software features. You can also use an SNMP agent and the FICON Management Information Base (MIB). For information on these tools, refer to: •...

• Some 1-Gbit/sec storage devices cannot auto-negotiate speed with the 4/256 SAN Director or SAN Switch 4/32 ports. For these types of devices, configure ports that are connected to 1-Gbit/sec storage devices for fixed 1-Gbit/sec speed.

Preparing a switch
To verify and prepare a switch for use in a FICON environment, complete the following steps:
Connect to the switch and log in as admin.

CAUTION: If Security is enabled via the CLI in the FICON environment, then you should use the following syntax for the secModeEnable command:
secmodeenable --lockdown=scc --currentpwd --fcs "*"
Issuing the secModeEnable command as it appears above enables security and creates an SCC policy with all of the switches that currently reside in the fabric.

FRU failures
To display FRU failure information, connect to the switch, log in as admin, and enter one of the following commands:
• For the local switch: ficonshow ilir
• For all switches defined in the fabric: ficonshow ilir fabric

Swapping ports
If a port malfunctions, or if you want to connect to different devices without having to re-wire your swap ports...

Using FICON CUP Host-based management programs manage switches using CUP protocol by sending commands to an emulated control device in Fabric OS. A switch that supports CUP can be controlled by one or more host-based management programs. A mode register controls the behavior of the switch with respect to CUP itself, and with respect to the behavior of other management interfaces.

Enabling and disabling FICON management server mode To enable fmsmode: Connect to the switch and log in as admin. Enter ficoncupset fmsmode enable. To disable fmsmode: Connect to the switch and log in as admin. Enter ficoncupset fmsmode disable. The fmsmode setting can be changed whether the switch is offline or online. If fmsmode is changed while the switch is online, a device reset is performed for the control device and an RSCN is generated with PID 0xDDFE00 (where 0xDD is the domain ID of the switch).

Changing fmsmode from enabled to disabled triggers the following events: A device reset is performed on the control device. PDCM is no longer enforced. RSCNs might be generated to some devices if PDCM removal results in changes to connectivity between a set of ports. If a given port was set to “Block”...

Setting mode register bits Use the ficoncupset modereg command to set the FICON CUP mode register bits for the local switch. Consider the following when changing mode register bits: • As required by the CUP protocol, the UAM bit cannot be changed using this command. •...

Troubleshooting The following sources provide useful problem-solving information: • The standard support commands (portLogDump, supportSave, supportShow) or the Fabric Manager Event Log. By default, the FICON group in the supportShow output is disabled. To enable the capture of FICON data in the supportShow output, enter the supportshowcfgenable ficon command. After you get confirmation that the configuration has been updated, the following will be collected and appear in the output for the supportShow command: •...

Backing up FICON files The FICON file access facility is used to store configuration files. This includes IPL and other configuration files. The Fabric OS saves the IPL and all other configuration files on the switch. A maximum of 16 configuration files, including the IPL file, are supported.

Sample IOCP configuration file for SAN Switch 2/32, SAN Switch 4/32, SAN Director 2/128, and 4/256 SAN Director switches The channel subsystem controls communication between a configured channel, the control unit, and the device. The I/O Configuration Dataset (IOCDS) defines the channels, control units, and devices to the designated logical partitions (LPARs) within the server;...

In the following sample IOCP configuration file, the UNIT value for FICON CUP definitions is 2032 for any FICON Director regardless of vendor or platform. So all SAN Switch 2/32, SAN Switch 4/32, or SAN Director 2/128 switches require UNIT=2032 for the CUP definition. All Domain IDs are specified in hex values in the IOCP (and not in decimal values);...

Configuring the distributed manager server The Fabric OS Distributed Management Server allows a SAN management application to retrieve information and administer interconnected switches, servers, and storage devices. The management server assists in the autodiscovery of switch-based fabrics and their associated topologies. A client of the management server can find basic information about the switches in the fabric and use this information to construct topology relationships.

To disable platform services Connect to the switch and log in as admin. Enter the msplMgmtDeactivate command. Press y to confirm deactivation. switch:admin> msplmgmtdeactivate MS Platform Service is currently enabled. This will erase MS Platform Service configuration information as well as database in the entire fabric. Would you like to continue this operation? (yes, y, no, n): [no] y Request to deactivate MS Platform Service in progress..

To add a member to the ACL Connect to the switch and log in as admin. Enter the msConfigure command. The command becomes interactive. At the select prompt, enter 2 to add a member based on its port/node WWN. Enter the WWN of the host to be added to the ACL. At the prompt, enter 1 to verify the WWN you entered was added to the ACL.

Press Enter to update the nonvolatile memory and end the session. switch:admin> msconfigure 0 Done 1 Display the access list 2 Add member based on its Port/Node WWN 3 Delete member based on its Port/Node WWN select : (0..3) [1] 3 Port/Node WWN (in hex): [00:00:00:00:00:00:00:00] 20:00:00:20:37:65:ce:aa *WWN is successfully deleted from the MS ACL.

Working with diagnostic features This chapter provides information on diagnostics and how to display system, port, and specific hardware information. It also describes how to set up system logging mapping (syslogd) and how to set up the offloading of error messages (supportSave). About Fabric OS diagnostics The purpose of the diagnostic subsystem is to evaluate the integrity of the system hardware.

To display the uptime for a switch Connect to the switch and log in as admin. At the command line, enter the uptime command: switch:admin> uptime 4:43am up 1 day, 12:32, 1 user, load average: 1.29, 1.31, 1.27 switch:admin> The uptime command displays the length of time the system has been in operation, the total cumulative amount of uptime since the system was first powered-on, the date and time of the last reboot (applies only to FOS v3.x and v2.6.x systems), the reason for the last reboot (applies only to FOS v3.x and v2.6.x systems), and the load average over the past one minute (1.29 in the preceding example), five minutes...

To display the port statistics Connect to the switch and log in as admin. At the command line, enter the portStatsShow command. Port statistics include information such as number of frames received, number of frames sent, number of encoding errors received, and number of class 2 and class 3 frames received. Refer to the Fabric OS Command Reference Manual for additional portStatsShow command information, such as the syntax for slot or port numbering.

To display a summary of port errors for a switch Connect to the switch and log in as admin. At the command line, enter the portErrShow command. Refer to the Fabric OS Command Reference Manual for additional portErrShow command information. switch:admin>...

Error Type    Description
frjt          Frames rejected with F_RJT
fbsy          Frames busied with F_BSY

Viewing equipment status You can display status for fans, power supply, and temperature. NOTE: The number of fans, power supply units, and temperature sensors depends on the switch type. For detailed specifications on these components, refer to the switch install guide.

To display temperature status Connect to the switch and log in as admin. At the command line, enter the tempShow command: switch:admin> tempshow Index Status Centigrade Fahrenheit ---------------------------------------------------- switch:admin> Information displays for each temperature sensor in the switch. The possible temperature status values are: OK—Temperature is within acceptable range.

Viewing the port log The Fabric OS maintains an internal log of all port activity. The port log stores entries for each port as a circular buffer. Each port has space to store 8000 log entries. When the log is full, the newest log entries overwrite the oldest log entries.

Viewing and saving diagnostic information Enter the supportShow command to dump important diagnostic and status information to the session screen, where you can review it or capture its data. To save a set of files that customer support technicians can use to further diagnose the switch condition, enter the supportSave command.

To enable the automatic transfer of trace dumps Connect to the switch and log in as admin. Enter the following command: switch:admin> traceftp -e To set up periodic checking of the remote server Connect to the switch and log in as admin. Enter the following command: interval switch:admin>...

Troubleshooting This chapter provides information on troubleshooting and the most common procedures used to diagnose and recover from problems. It also includes specific troubleshooting scenarios as examples. Troubleshooting should begin at the center of the SAN — the fabric. Because switches are located between the hosts and storage devices and have visibility into both sides of the storage network, starting with them can help narrow the search path.

Gathering information for technical support If you are troubleshooting a production system, you need to gather data quickly. As soon as a problem is observed, perform the following tasks (if using a dual CP system, run the commands on both CPs): Enter the supportSave command to save RASLOG, TRACE, and supportShow (active CP only) information for the local CP to a remote FTP location.

Use the following steps to retrieve as much of the following informational items as possible prior to contacting HP. Switch information: • Serial number (located on the chassis) • World Wide Name (obtain using licenseIdShow or wwn commands) • Fabric OS version (obtain using the version command) •...

Regardless of the device’s zoning, the fcPing command sends the ELS frame to the destination port. A device can take any one of the following actions: • Send an ELS Accept to the ELS request. • Send an ELS Reject to the ELS request. •...

To check the Name Server (NS) Enter the nsShow command on the switch to which the device is attached: The Local Name Server has 9 entries { Type Pid PortName NodeName TTL(sec) 021a00; 2,3;20:00:00:e0:69:f0:07:c6;10:00:00:e0:69:f0:07:c6; 895 Fabric Port Name: 20:0a:00:60:69:10:8d:fd 051edc; 3;21:00:00:20:37:d9:77:96;20:00:00:20:37:d9:77:96;...

To check for zoning problems Enter the cfgActvShow command to determine if zoning is enabled. If zoning is enabled, it is possible that the problem is being caused by zoning enforcement (for example, two devices in different zones cannot see each other). Confirm that the specific edge devices that need to communicate with each other are in the same zone.
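An added example (not from the HP guide): a Python sketch that runs the Name Server check and the zoning check above offline against captured output, confirming that two port WWNs are logged in and share at least one zone. The capture, the zone table and all function names are constructed for illustration; the leading port-type token (N/NL) and the mapping of the PID area byte to the port number in "domain,port" members are assumptions.

```python
import re

# Constructed capture in the semicolon-separated layout of the nsShow excerpt:
#   [Type] Pid; COS; PortName; NodeName; TTL(sec)
# The second Fabric Port Name and the "na" TTL are constructed values.
SAMPLE_NSSHOW = """\
The Local Name Server has 2 entries {
 Type Pid PortName NodeName TTL(sec)
 N    021a00;    2,3;20:00:00:e0:69:f0:07:c6;10:00:00:e0:69:f0:07:c6; 895
    Fabric Port Name: 20:0a:00:60:69:10:8d:fd
 NL   051edc;      3;21:00:00:20:37:d9:77:96;20:00:00:20:37:d9:77:96; na
    Fabric Port Name: 20:0e:00:60:69:10:9b:5b
}
"""

# Constructed zone table: members are WWNs or "domain,port" pairs, the two
# member forms used with zoneadd elsewhere in this guide.
SAMPLE_ZONES = {
    "greenzone": ["2,26", "21:00:00:20:37:D9:77:96"],
    "redzone": ["21:00:00:20:37:0c:72:51"],
}

WWN = r"(?:[0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}"
ENTRY_RE = re.compile(
    r"^\s*(?:(?P<type>[A-Z]{1,2})\s+)?(?P<pid>[0-9a-fA-F]{6});\s*(?P<cos>[\d,]+);\s*"
    rf"(?P<port_wwn>{WWN});\s*(?P<node_wwn>{WWN});\s*(?P<ttl>\S+)\s*$"
)
FABRIC_RE = re.compile(rf"^\s*Fabric Port Name:\s*(?P<wwn>{WWN})\s*$")


def parse_nsshow(text):
    """Return one dict per Name Server entry found in captured nsShow text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            pid = int(m.group("pid"), 16)
            entries.append({
                "type": m.group("type"),          # None if the token is absent
                "pid": m.group("pid").lower(),
                "domain": pid >> 16,              # 0xDD in PID 0xDDAAPP
                "area": (pid >> 8) & 0xFF,        # assumed to equal the port number
                "al_pa": pid & 0xFF,
                "port_wwn": m.group("port_wwn").lower(),
                "node_wwn": m.group("node_wwn").lower(),
                "fabric_port_wwn": None,
            })
            continue
        f = FABRIC_RE.match(line)
        if f and entries:
            # The indented continuation line belongs to the preceding entry.
            entries[-1]["fabric_port_wwn"] = f.group("wwn").lower()
    return entries


def identities(entry):
    """Every form under which this device can appear as a zone member."""
    return {entry["port_wwn"], entry["node_wwn"],
            f'{entry["domain"]},{entry["area"]}'}


def normalize_member(member):
    """Lower-case a zone member and drop spaces around the domain,port comma."""
    return re.sub(r"\s*,\s*", ",", member.strip().lower())


def common_zones(zones, a, b):
    """Names of zones that contain both devices, in sorted order."""
    ids_a, ids_b = identities(a), identities(b)
    hits = []
    for name, members in zones.items():
        norm = {normalize_member(x) for x in members}
        if norm & ids_a and norm & ids_b:
            hits.append(name)
    return sorted(hits)


def check_pair(ns_text, zones, wwn_a, wwn_b):
    """Name Server check first, then the zoning check, for two port WWNs."""
    by_wwn = {e["port_wwn"]: e for e in parse_nsshow(ns_text)}
    wanted = (wwn_a.lower(), wwn_b.lower())
    missing = [w for w in wanted if w not in by_wwn]
    if missing:
        return ("not-in-name-server", missing)
    hits = common_zones(zones, by_wwn[wanted[0]], by_wwn[wanted[1]])
    return ("zoned-together", hits) if hits else ("no-common-zone", [])


if __name__ == "__main__":
    print(check_pair(SAMPLE_NSSHOW, SAMPLE_ZONES,
                     "20:00:00:e0:69:f0:07:c6", "21:00:00:20:37:d9:77:96"))
```

A "not-in-name-server" result points back to the link and login checks, while "no-common-zone" points to the zone configuration.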

Enter the configure command to edit the fabric parameters for the segmented switch. Refer to the Fabric OS Command Reference Manual for more detailed information. Enable the switch by entering the switchEnable command. Alternatively, you can reconcile fabric parameters by entering the configUpload command for each switch.

To edit zone configuration members Log in to one of the switches in a segmented fabric as admin. Enter the cfgShow command. Print the output from the cfgShow command. Start another telnet session and connect to the next fabric as an administrator. Run the cfgShow command.

Identifying media-related issues This section provides procedures that help pinpoint any media-related issues in the fabric. The tests listed in Table 60 are a combination of structural and functional tests that can be used to provide an overview of the hardware components and help identify media-related issues. •...

To test a switch’s internal components Connect to the switch and log in as admin. Connect the port you want to test to any other switch port with the cable you want to test. Enter the crossporttest -lb_mode 5 command where 5 is the operand that causes the test to be run on the internal switch components (this is a partial list—refer to the Fabric OS Command Reference Manual for additional command information): [-nframes count]—Specify the number of frames to send.

Correcting link failures A link failure occurs when a server or storage is connected to a switch, but the link between the server/storage and the switch does not come up. This prevents the server/storage from communicating through the switch. If the switchShow command or LEDs indicate that the link has not come up properly, use one or more of the following procedures.

Skip point-to-point initialization. The switch changes to point-to-point initialization after the Loop Initialization Soft Assigned (LISA) phase of the loop initialization. This behavior sometimes causes trouble with old HBAs. If this is the case, then: Skip point-to-point initialization by using the portCfgLport command. To check for a point-to-point initialization failure Enter the switchShow command to confirm that the port is active and has a module that is synchronized.

Correcting marginal links A marginal link involves the connection between the switch and the edge device. Isolating the exact cause of a marginal link involves analyzing and testing many of the components that make up the link (including the switch port, switch SFP, cable, the edge device, and the edge device SFP). To troubleshoot a marginal link: Enter the portErrShow command.

You will need an adapter to run the loopback test for the SFP. Otherwise, run the portloopbacktest on the marginal port using the loopback mode lb=5. Refer to the Fabric OS Command Reference Manual for additional information. Loopback mode Description Port Loopback (loopback plugs) External (SERDES) loopback Internal (parallel) loopback (indicates no external...

• VE_Port—Functions somewhat like an E_Port, but terminates at the switch and does not propagate fabric services or routing topology information from one edge fabric to another. • VEX_Port—A type of VE_Port that connects a Fibre Channel router to an edge fabric. From the point of view of a switch in an edge fabric, a VEX_Port appears as a normal VE_Port.

How port mirroring works Port mirroring reroutes the data frames between two devices to the mirror port. Rerouting introduces latency for the data flow. The latency depends on the location of the mirror port. For a given port, the traffic received from the point of view of the switch can be captured before leaving this ASIC.

There are two types of transmit filter installation: • If the E_Port is on the same chip, port mirroring installs an egress (transmitted information) filter on the source port. • If the E_Port is on a different chip, port mirroring installs the filter on the C_Ports of the other chip. To better explain how the transmit filter works on each of these types, the method used for both types is described as follows: •...

Creating, deleting, and displaying port mirroring The following section describes how to use the port mirroring feature in the fabric. The method for adding a port mirror connection between two local switch ports and between a local switch port and a remote switch port is the same. To add a port mirror connection Log in to the switch as admin.

Administering NPIV N-Port ID Virtualization (NPIV) enables a single Fibre Channel protocol port to appear as multiple, distinct ports, providing separate port identification within the fabric for each operating system image behind the port (as if each operating system image had its own unique physical port). NPIV assigns a different virtual port ID to each Fibre Channel protocol device.

Displaying and clearing the CRC error count You can use the perfShowAlpaCrc command to display the CRC error count for all AL_PA devices or for a single AL_PA on a specific active L_Port. Example: Displaying the CRC error count for all AL_PA devices on a port switch:admin>...

Adding end-to-end monitors An end-to-end monitor counts the following items for a port: number of words received, number of words transmitted, and number of CRC errors detected in frames. 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 2/8V, SAN Switch 2/16V, SAN Switch 2/32, and SAN Director 2/128 models allow up to eight end-to-end monitors.

Add Monitor 0 to slot 2, port 2 on Switch x, specifying 0x051200 as the SID and 0x111eef as the DID, as shown in the following example: Monitor 0 counts the frames that have an SID of 0x051200 and a DID of 0x111eef. For monitor 0, RX_COUNT is the number of words from Host A to Dev B, TX_COUNT is the number of words from Dev B to Host A, and CRC_COUNT is the number of frames in both directions with CRC errors.

The mask is applied to all end-to-end monitors on the port. Individual masks for each monitor on the port cannot be specified. Figure 20 Mask positions for end-to-end monitors (SID mask and DID mask, shown for frames received by the port and for frames transmitted from the port) perfsetporteemask 1/2, "00:00:ff"...

Monitoring filter-based performance Filter-based performance monitoring counts the number of times a frame with a particular pattern is transmitted by a port. Filter-based monitoring is achieved by configuring a filter for a particular purpose. The filter can be a standard filter (for example, a SCSI read command filter that counts the number of SCSI read commands that have been transmitted by the port) or a user-defined filter customized for your particular use.

• 4/16 SAN Switch and 4/8 SAN Switch models (Fabric OS v5.0.1) Up to 7 different offsets per port (6 offsets when FMS is enabled). You can specify up to four values to compare against each offset. If more than one offset is required to properly define a filter, the bytes found at each offset must match one of the given values for the filter to increment its counter.

The following example displays the monitors on slot 1, port 4 using the perfShowFilterMonitor command (the monitor numbers are listed in the KEY column) and deletes monitor number 1 on slot 1, port 4 using the perfDelFilterMonitor command: switch:admin> perfshowfiltermonitor 1/4 There are 4 filter-based monitors defined on port 4.

Displaying monitor counters Use the perfMonitorShow command to display the monitors on a specified port. For end-to-end counters, you can display either the cumulative count of the traffic detected by the monitors or a snapshot of the traffic at specified intervals. NOTE: 4/16 SAN Switch and 4/8 SAN Switch, SAN Switch 4/32, 4/64 SAN Switch, 400 MP Router, and 4/256 SAN Director outputs do not include CRC counts.

Clearing monitor counters Before you clear statistics counters, verify the valid monitor numbers on a specific port using the perfMonitorShow command, to make sure the correct monitor counters are cleared. To clear statistics counters for all or a specified monitor, use the perfMonitorClear command. After the command has been executed, the telnet shell confirms that the counters on the monitor have been cleared.

Administering Extended Fabrics This chapter contains procedures for using the Extended Fabrics licensed feature, which extends the distance that interswitch links (ISLs) can reach over a dark fiber or DWDM connection. The Extended Fabrics feature is not used over FCIP connections over IP WANs. To use extended ISL modes, you must first install the Extended Fabrics license.

versions earlier than v4.0.2 and v3.0.2c, make sure that VC translation link initialization is disabled because these versions do not support it. Choosing an Extended ISL mode Table 67 lists the extended ISL modes for switches that have a Bloom ASIC. You can configure extended ISL modes with the portCfgLongDistance command when the Extended Fabrics license is activated.

For dynamic long distance links, you can approximate the number of buffer credits using the following formula: Buffer credits = [(distance in km) * (data rate) * 1000] / 2112. The data rate is 1.0625 for 1 Gbit/sec, 2.125 for 2 Gbit/sec, and 4.25 for 4 Gbit/sec and Fibre Channel. Configuring external ports The number of ports that can be configured per port group for each switch depends on both port speed and distance.

To configure an extended ISL Connect to the switch and log in as admin. If the fabric contains HP StorageWorks 1 GB extended ISLs, use the switchDisable command to disable the switch and then use the configure command to set the fabric-wide configuration parameter fabric.ops.mode.longDistance to 1 on all switches in the fabric.

Administering ISL Trunking This chapter contains procedures for using the ISL Trunking licensed feature, which optimizes the use of bandwidth by allowing a group of interswitch links to merge into a single logical link. Overview ISL Trunking reduces or eliminates situations that require static traffic routes and individual ISL management to achieve optimal performance.

Connections between SAN Switch 4/32, 4/64 SAN Switch, and 4/256 SAN Director (using FC4-16 and FC4-32 port blades) models support these advanced features: • Up to eight ports in one trunk group to create high performance 32-Gbit/sec ISL trunks between switches •...

• Each physical ISL uses two ports that could otherwise be used to attach node devices or other switches. • Trunking groups can be used to resolve ISL oversubscription if the total capability of the trunking group is not exceeded. •...

Monitoring traffic To implement ISL Trunking effectively, you must monitor fabric traffic to identify congested paths or to identify frequently dropped links. While monitoring changes in traffic patterns, you can adjust the fabric design accordingly, such as by adding, removing, or reconfiguring ISLs and trunking groups in problem areas.

Enabling and disabling ISL trunking You can enable or disable ISL Trunking for a single port or for an entire switch. When you execute the commands portCfgTrunkPort or switchCfgTrunk to update the trunking configuration, the ports for which the configuration applies are disabled and re-enabled with the new trunk configuration. As a result, traffic through those ports could be disrupted.

Setting port speeds For long-distance ports, if a port is set to autonegotiate port speed, the maximum speed (which is 4 Gbit/sec) is assumed for reserving buffers for the port–this wastes buffers if the port is actually running at 2 Gbit/sec.

To set the speed for all of the ports on the switch Connect to the switch and log in as admin. Enter the switchCfgSpeed command. The format is: switchcfgspeed speedlevel where speedlevel specifies the speed of the link: • 0—Auto-negotiating mode. The port automatically configures for the highest speed.

Troubleshooting trunking problems If you have difficulty with trunking, try the solutions in this section. Listing link characteristics If a link that is part of an ISL Trunk fails, use the trunkDebug command to troubleshoot the problem, as shown in the following procedure: Connect to the switch and log in as admin.

Change LD/L1/L2/L0.5 back to L0 (of non-buffer limited ports). If you are in buffer-limited mode on the LD port, then increase the estimated distance. These changes are implemented only after disabling (portDisable) and enabling (portEnable) the buffer-limited port (or buffer-limited switch). Reconfiguring a port to LD from another mode can result in the port being disabled for lack of buffers–this does not apply to the SAN Switch 4/32 and 4/256 SAN Director (using FC4-16 and FC4-32 port blades).

Administering Advanced Zoning This chapter provides procedures for using the Advanced Zoning feature. About Zoning Zoning enables you to partition your SAN into logical groups of devices that can access each other. For example, you can partition your SAN into two zones, winzone and unixzone, so that your Windows servers and storage do not interact with your UNIX servers and storage.

Table 81 Approaches to fabric-based Zoning
Zoning approach     Description
Operating system    Zoning by operating system has issues similar to Zoning by application. In a large site, this type of zone can become very large and complex. When zone changes are made, they typically involve applications rather than a particular server type.

Zone aliases also simplify repetitive entry of zone objects such as port numbers or a WWN. For example, you can use the name “Eng” as an alias for “10:00:00:80:33:3f:aa:11”. A useful convention is to name zones for the initiator they contain. For example, if you use the alias SRV_MAILSERVER_SLT5 to designate a mail server in PCI slot 5, then the alias for the associated zone is ZNE_MAILSERVER_SLT5.

• Prevents hosts from discovering unauthorized target devices. • Ensures that the name server does not return any information to an unauthorized initiator in response to a name server query. • Is exclusively enforced through selective information presented to end nodes through the fabric Simple Name Server (SNS).

name server returns only those devices that are in the same zone as the initiator. Devices that are not part of the zone are not returned as accessible devices. Table 82 shows the various switch models, the hardware Zoning methodology for each, and tips for best usage.

Figure 24 Hardware-enforced overlapping zones (diagram labels: WWN_Zone1, Port_Zone1, Core Switch, Port_Zone2, WWN_Zone2, Zone Boundaries)

Any zone using both WWNs and domain, port entries on the 2 Gbit/sec platform relies on Name Server authentication as well as hardware-assisted (ASIC) authentication, which ensures that any PLOGI/ADISC/PDISC/ACC from an unauthorized device attempting to access a device it is not zoned with is rejected.

Rules for configuring zones Observe the following rules when configuring zones. • If security is a priority, you should use hard Zoning. • The use of aliases is optional with Zoning, and using aliases requires structure when defining zones. However, aliases help administrators of a zoned fabric understand the structure and context. •...

To delete an alias Connect to the switch and log in as admin. Enter the aliDelete command. Enter the cfgSave command to save the change to the defined configuration. switch:admin> alidelete "array1" switch:admin> cfgsave You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration.

To add devices (members) to a zone Connect to the switch and log in as admin. Enter the zoneAdd command. Enter the cfgSave command to save the change to the defined configuration. switch:admin> zoneadd "greenzone", "1,2" switch:admin> zoneadd "redzone", "21:00:00:20:37:0c:72:51" switch:admin>...

Activating default zones Typically, when you issue the cfgDisable command in a large fabric with thousands of devices, the name server indicates to all hosts that they can communicate with each other. In fact, each host can receive an enormous list of PIDs, and ultimately cause other hosts to run out of memory or crash. To ensure that all devices in a fabric do not see each other during a cfgDisable operation, you can activate a default zone.

Enter the cfgSave command to save the change to the defined configuration. switch:admin> cfgadd "newcfg", "bluezone" switch:admin> cfgsave You are about to save the Defined Zoning configuration. This action will only save the changes on the Defined configuration. Any changes made on the Effective configuration will not take effect until it is re-enabled.

Maintaining zone objects While you can use the cfgDelete command to delete a zone configuration, there is a quicker and easier way to perform the same task via the zone object commands (zoneObjectExpunge, zoneObjectCopy, and zoneObjectRename). You can also copy and rename zone objects. When you copy a zone object, the resulting object has the same type as the original.

Enter the cfgShow command to verify the renamed zone object is present. If you want the change preserved when the switch reboots, save it to nonvolatile (also known as “flash”) memory by entering the cfgSave command. For the change to become effective, enable the appropriate zone configuration using the cfgEnable command.

• Merging rules Observe these rules when merging zones: Local and adjacent configurations: If the local and adjacent zone database configurations are the same, they will remain unchanged after the merge. Effective configurations: If there is an effective configuration between two switches, the zone configuration in effect must match.

Splitting a fabric If the connections between two fabrics are no longer available, the fabric will segment into two separate fabrics. Each new fabric will retain the same zone configuration. If the connections between two fabrics are replaced and no changes have been made to the zone configuration in either of the two fabrics, then the two fabrics will merge back into one single fabric.

Table 88 Considerations for Zoning architecture
Item                                            Description
Type of Zoning: hard or soft (session-based)    If security is a priority, hard Zoning is recommended.
Use of aliases                                  The use of aliases is optional with Zoning. Using aliases requires structure when defining zones. Aliases will aid administrators of zoned fabric in understanding the structure and context.

Configuring and monitoring FCIP tunneling The Fibre Channel over IP (FCIP) Tunneling Service is an optional feature that enables you to use Fibre Channel “tunnels” to connect SANs over IP-based networks. An FCIP tunnel transports data between a pair of Fibre Channel switches. You can have more than one TCP connection between the pair of Fibre Channel switches.

NOTE: In Figure 27, because FCIP was configured with VE_Ports, the switches will merge over the IP WAN to become a single fabric. If any of the VE_Ports had been configured as VEX_Ports, that portion of the fabric would remain a separate fabric, but still enable sharing of storage and server devices. Figure 27 illustrates a portion of a Fibre Channel network using FCIP.

Port numbering on the B-Series MP Router blade There are sixteen physical Fibre Channel ports and two physical GbE ports on the B-Series MP Router blade. The two GbE ports (ge0 and ge1) support up to eight FCIP tunnels each (each FCIP tunnel is represented and managed as a VE_Port or VEX_Port).

Port Numbering on the 400 MP Router You do not need to specify slot numbers for the 400 MP Router. Refer to the GbE ports as ge0 and ge1; the Fibre Channel ports are numbered 0 through 15. Moving from left to right on the front of the chassis are the sixteen Fibre Channel ports, followed by the 2 GbE ports.

Table 90 IPSec terminology
Term    Definition
3DES    Triple DES is a more secure variant of DES; it uses 3 different 56-bit keys to encrypt blocks of 64-bit plain text. The algorithm is FIPS-approved for use by Federal agencies.
ESP     Encapsulating Security Payload is the IPSec protocol that provides confidentiality, data integrity and data source authentication of IP packets, and protection against replay attacks.

IKE negotiates SA parameters and authenticates the peer using the preshared key authentication method. Once the 2 phases of the negotiation are completed successfully, the actual encrypted data transfer can begin. IPSec policies are managed using the policy command. You can configure up to 32 IKE and 32 IPSec policies. Policies cannot be modified; they must be deleted and recreated in order to change the parameters.

Managing policies Use the policy command to create, delete, and show IKE and IPSec policies. To create a new policy Log in to the switch as admin. At the command prompt, type: policy --create type number [-enc encryption_method][-auth authentication_algorithm] [-pfs off|on] [-dh DH_group] [-seclife secs] where: type and number: The type of policy being created (IKE or IPSec) and the number for this type of...

Configuring FCIP Tunnels You can create only one FCIP tunnel on a given pair of IP address interfaces (local and remote). You can create multiple FCIP tunnels on a single IP interface if either the local or remote IP interface is unique and does not have any other FCIP tunnel on it.

Verifying IP connectivity After you add the IP addresses of the routes, enter the portCmd ping command to ping a destination IP address from one of the source IP interfaces on the GbE port and verify the Ethernet IP to IP connectivity. This verification also ensures that data packets can be sent to the remote interface.

Fastwrite and tape pipelining When the FCIP link is the slowest part of the network and it affects speed, consider using fastwrite and tape write acceleration, called “tape pipelining.” Supported only in Fabric OS 5.2.x and higher, fastwrite and tape pipelining are two features that provide accelerated speeds to FCIP tunnels in some configurations: •...

Supported configurations

To help understand the supported configurations, consider the configurations shown in the two figures below. In both cases, there are no multiple equal-cost paths. In Figure 32, there is a single tunnel with fastwrite and tape pipelining enabled. In Figure 33, there are multiple tunnels, but none of them create a multiple equal-cost path.

Configuring FCIP tunnels

After you have verified licensing and connectivity between source and destination IP interfaces, you can configure FCIP tunnels. As you plan the tunnel configurations, be aware that uncommitted rate tunnels use a minimum of 1000 Kb/sec, up to a maximum of available uncommitted bandwidth on the GbE port. The total bandwidth available on a GbE port is 1 Gbit/sec.

FCIP Tunnel modify and delete options

NOTE: Using the tunnel Modify option disrupts traffic on the specified FCIP tunnel for a brief period of time.

Following is the syntax for the portCfg fcipTunnel command to modify FCIP tunnels (you must specify at least one characteristic to modify):
portcfg fciptunnel [slot/][ge]port args [optional_args] modify <tunnel_num>...

Verifying the FCIP tunnel configuration

After you have created local and remote FCIP configurations, use the portEnable [slot/]port command to enable the port. It is recommended that you verify that the tunnel configuration operation succeeded using the portShow fcipTunnel command (be sure to specify the slot/port numbers and number of tunnels). Look at the “Status”...

About the ipPerf option

The WAN tool ipPerf (referred to simply as “ipPerf” in this chapter) is an option of the Fabric OS portCmd command. This option allows you to specify the slot and port information for displaying performance statistics for a pair of ports. For this basic configuration, you can specify the IP addresses of the endpoints, target bandwidth for the path, and optional parameters such as the length of time to run the test and statistic polling interval.

WAN Tool performance characteristics

The following table lists the end-to-end IP path performance characteristics that you can display using the portCmd ipPerf command and option. All four of the base ipPerf performance characteristics (bandwidth, loss, RTT, PMTU) are provided in the command output in Fabric OS 5.2.0 or higher.

Figure 35 WAN Tool performance characteristics
Characteristic...

To start an ipPerf session

Configure the receiver test endpoint using the CP CLI. The syntax for invoking the receiver test endpoint using ipPerf for slot 8, port ge0 on an FR4-18i is as follows:
portcmd --ipperf 8/ge0 -s 192.168.255.10 -d 192.168.255.100 -R
Configure the sender test endpoint using a similar CP CLI.

Configuring the PID format

Port identifiers (called PIDs) are used by the routing and zoning services in Fibre Channel fabrics to identify ports in the network. All devices in a fabric must use the same PID format, so when you add new equipment to your SAN, you might need to change the PID format on legacy equipment.

Impact of changing the fabric PID format

If your fabric contains switches that use Native PID, it is recommended that you change the format to Core PID before you add the new, higher port count switches and Directors. Also, it is recommended that you use Core PID when upgrading the Fabric OS version on 2000 and 3000 series switches.

Table 92 shows various combinations of existing fabrics, new switches added to those fabrics, and the recommended PID format for that combination. The criteria for the recommendations are first to eliminate host reboots, and second to minimize the need for a host reboot in the future.

Table 92 PID format recommendations for adding new switches
Existing Fabric OS...

Evaluating the fabric

In addition to this section, refer to the HP StorageWorks SAN Design reference guide for information on evaluating the fabric:
http://h18000.www1.hp.com/products/storageworks/san/documentation.html

If there is the possibility that your fabric contains host devices with static PID bindings, you should evaluate the fabric to:
•...

It is also important to understand how multipathing software reacts when one of the two fabrics is taken offline. If the time-outs are set correctly, the failover between fabrics should be transparent to the users. You should use the multipathing software to manually fail a path before starting maintenance on that fabric.

After the fabric has reconverged, use the cfgEnable command to update zoning.
Update the bindings for any devices manually bound by PID. This might involve changing them to the new PIDs, or preferably changing to WWN binding.
For any devices automatically bound by PID, two options exist:
a.

Determine if the current switch firmware versions meet the minimum supported version levels. Table 93 lists the earliest Fabric OS version levels that support Extended Edge PID format. Use this table to determine if you need to upgrade the firmware in the switches in your fabric before you change the PID format.

Converting port number to area ID

Except for the following cases, the area ID is equal to the port number:
• when you perform a port swap operation
• when you enable Extended Edge (also known as “displaced PID”) PID on the Director

If you are using Extended Edge PID format (for example, the 4/256 SAN Director with configuration option 5) and would like to map the output of the port number to the area ID, use the following formula (for ports 0-127):...

When the port number is greater than or equal to 128, the area ID and port number are the same. Figure 29 shows a 4/256 SAN Director with Extended Edge PID.

Figure 29 4/256 SAN Director with Extended Edge PID

If you are not using multipathing software, unmount the volumes from their mount points using umount. The command usage is umount <mount_point>. For example:
umount /mnt/jbod
If you are using multipathing software, use that software to remove one fabric’s devices from its configuration.

Verify that the port area IDs have been swapped:
portswapshow
A table shows the physical port numbers and the logical area IDs for any swapped ports.
Disable the port swap feature:
portswapdisable

Configuring interoperability mode

This appendix provides information on setting up a heterogeneous fabric that includes HP StorageWorks switches and switches from other manufacturers. The interoperability mode enables HP StorageWorks switches and others to exchange interoperability parameters, allowing their fabrics to merge into one fabric with one principal switch and unique domain IDs.

Supported features

The following features are supported on HP StorageWorks switches in interoperability mode:
• Fabric Watch
• Fabric Access API functions
  Accessible from HP StorageWorks switches only, but switch information for non-HP StorageWorks switches is reported. The object information and zoning actions are configurable from the API.
•...

have a McDATA switch between two HP StorageWorks switches if you are managing zoning from the HP StorageWorks switches.
• LC IBM GBICs are not supported if they are connected to a McDATA ISL.
• When a switch gets a new domain ID assigned through a fabric reconfiguration, the new domain ID is written to nonvolatile memory and the old domain ID value is overwritten.

You can use the cfgSize command to check both the maximum available size and the currently saved size. If you believe you are approaching the maximum, you can save a partially completed zoning configuration and use the cfgSize command to determine the remaining space.

Zone name restrictions

The name field must contain the ASCII characters that actually specify the name, not including any required fill bytes.

Enter the interopmode 0 command to disable interoperability. This command resets a number of parameters and disables interactive mode. You must reboot the switch after changing the interoperability mode:
switch:admin> switchdisable
switch:admin> interopmode 0
The switch effective configuration will be lost when the operating mode is changed; do you want to continue? (yes, y, no, n): [no] y
done.

Table 94 Account/password characteristics matrix (continued)

Topic: Does a user need to know the old passwords when changing passwords using...
v4.0.0: Yes, except when the root user changes another...
v4.1.0 to v4.2.0: Old password is required only when changing password...
v4.4.0 to 5.1.x: Old password is required only when...

Password prompting behaviors

Table 95 describes the expected password prompting behaviors of various Fabric OS versions.

Table 95 Password Prompting Matrix

Topic: Must all password prompts be completed for any change...
v4.0.0: No. Partial changes of all four passwords are...
v4.1.0 and later: No. Partial changes of all four passwords are...

Using Remote Switch

This appendix describes the concepts and procedures for using the Remote Switch feature and contains the following topics:

About Remote Switch

The Remote Switch feature, which aids in ensuring gateway compatibility, was formerly a licensed feature. Its functionality is now available as part of the Fabric OS standard feature set through the use of the portCfgIslMode command.